Security of string resources

2019-03-26 03:03发布

问题:

I was wondering what's the security of Android's resources folders (I'm especially concerned with strings). I know, I know, it would be ridiculous to store a password in Strings.xml. It's not like that, but how easy it is to snoop on these resources, to access sensible app info?

回答1:

Unfortunately it is pretty easy to get to the resources. Tools like apktool enable to do that. I have raised a similar question here. You may want to take a look.



回答2:

Easy on a rooted phone. Expect anyone can read your string resources shared preferences, etc. I just hooked up ADB, changed to /data/data/com.tumblr/shared_preferences and read my username and password in the clear.

You can also download and decompile the apk. If you need to keep it secret, encrypt it.



回答3:

The primary rule of thumb here is that ANYTHING stored on the device is open for sniffing and cracking.

There is no such thing as local security against those in physical control of the device.

Even if you encrypt it, the keys for decryption have to exist on the device or be easily accessible by the device.

As a side note, this is the number one reason for features such as Remote Wipe.

So, if you plan on storing something sensitive or just plain don't want a slightly interested user to see the data you've stored on the phone, then you're out of luck.



回答4:

I know that the xml files are scrambled in the apk, but there is a hacker tool for unscrambling them back to plain text. I can't remember the name of it but I found it OK via Google. It works unfortunately!